Analyses of attacks on companies repeatedly find that the majority trace back to employees. When vulnerabilities are weighted, people turn out to be a company's largest exposure when it comes to online security. As much as people are an organization's greatest asset, they can also be the reason a company takes losses through an attack.
Eddie Schwartz, chair of a cybersecurity council, noted that the security breaches of the last five to seven years were enabled by people, whether through the intentional or accidental introduction of malware into the company, and that people therefore represent the single point of failure where security vulnerabilities are concerned.
Most companies do not train employees on cybersecurity, and those that do typically do so once a year, which is not sufficient. Wesley Simpson, COO of ISC2, pointed out that companies should also perform "people patching", analogous to continually patching and updating systems. New vulnerabilities appear continuously, so employees should be trained regularly to recognize them and to mitigate or avoid them. Simpson added that, like assets, people should be invested in continuously. It is worth the cost of training employees rather than accepting the risk of a breach and other exposures that are far more expensive to the company.
As much as employees represent a large part of the attack surface, they should not be treated as the vulnerability itself. That framing encourages a blame-the-victim mentality every time an attack happens. This is where the security team should step in and ensure every company asset, employees included, is protected from attack. Since users (employees) are the actors in most of these incidents, the security team should make sure that employees are alert and proactive enough to mitigate or avoid attacks, and know what to do once an attack has happened. Below are tips to ensure that employees stay alert, follow the required best practices and understand cybersecurity.
Perform a simulated attack
Popularly known as live-fire training, a simulated attack is the best way to make sure employees know what to do. Simulated attacks can be tailored to each employee or department in an organization. The employee is placed in the position of a victim of an attack; afterwards, employees are gauged on how they performed and then told what to do the next time a real attack happens. The debrief should be educational rather than punitive: punishing people who click discourages exactly the reporting you want from them later. Simulated attacks should include phishing tests, since phishing is the lure that many employees still fall for.
Simulated attacks can be run by the company's own security team or by a hired third-party vendor. A vendor has the advantage of also testing the security team itself and gauging how it responds to an attack.
Raise awareness during the hiring process
Employees should be made aware of cybersecurity and its threats from the day they are hired. This establishes security awareness throughout their time at the organization and makes later training easier.
Involve the top management
The chief information security officer (CISO) should make sure that the other executives are aware of cybersecurity and are trained too, and that they understand potential breaches and their ramifications. With that understanding, the CISO can get a sound security plan approved, including the budget and the prerequisites required for the training.
For any program to succeed, information must be relayed efficiently. There must be a communication plan for getting every department ready and on board with the training process. Good communication is what turns a plan on paper into practised security behaviour.
Evaluate the employees
Employees should be evaluated just as systems are. This is how the company finds the gaps and security-related weaknesses that could be fatal in a real attack. Without evaluation, the company cannot know what to "patch" in its people, what is already working and what might hurt the organization.
Conduct continuous training
After an evaluation, the security team knows the current state of the company's security awareness. Even if it turns out to be good, the best practice is to keep training employees, because attack techniques keep evolving. Training content should vary by audience: email and phishing attacks for end users, more technical attacks for the IT department. The company should update the training as the threat landscape changes.
Create a formal plan that advocates for a cybersecurity culture
The security or IT team should produce a documented, detailed formal plan that is reviewed and updated often and includes current information on risks and attack vectors. The plan should also advocate for a security culture, which can be done by appointing security advocates in every department of the company. The advocates work hand in hand with the CISO to oversee and implement that culture.
Let the employees know the importance of security both at work and home
The security team should help employees understand that security must be maintained not only at the organization but everywhere else. Educate them on how a compromise at home, such as an infected personal device or a reused password, can carry an attack into the office. This helps them appreciate that the training is also beneficial to them personally.
Reward employees accordingly
Much like a bug bounty program such as Google's, security teams should stage vulnerabilities and attacks on the organization and reward the users who find them. A simple drill: send a simulated phishing email; the employee who reports it first gets a reward, and every other employee who reports it is rewarded too. Reward the act of reporting even when the reporter had already clicked, since a prompt report is what lets the security team contain a real attack. With such a program, employees are far more likely to report a suspected threat to the security team, and that is what stops an attack early.
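The two pieces above (a tailored phishing simulation that gauges each employee or department, and a reward for whoever reports it first) share the same plumbing: a per-recipient tracking token in the lure, and a scorer that turns the resulting clicks and reports into per-person and per-department results. The following Python is an added example written for this page, not code from the article or from any vendor's product. The roster, the campaign secret and the event stream are all constructed for the demonstration; in a real drill the events would come from the tracking endpoint behind the lure link and from the "report phishing" mailbox.

```python
import hmac
import hashlib
from datetime import datetime

# Constructed roster for the example; these are hypothetical employees.
ROSTER = [
    {"email": "ana@example.com", "dept": "finance"},
    {"email": "bo@example.com", "dept": "finance"},
    {"email": "cy@example.com", "dept": "engineering"},
    {"email": "di@example.com", "dept": "engineering"},
]

# Assumed per-campaign secret: generated fresh for each drill and held only
# by the security team, so tokens from one drill are useless in the next.
CAMPAIGN_SECRET = b"constructed-campaign-secret-do-not-reuse"

# How bad each recorded action is; a recipient is scored on the worst one.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}


def make_token(secret: bytes, email: str) -> str:
    """Per-recipient token embedded in the lure link (e.g. ?t=<token>).

    An HMAC keyed with the campaign secret, not a bare hash, so a recipient
    cannot derive a colleague's token from their address, and a forwarded
    mail cannot be used to pin a click on the wrong person."""
    mac = hmac.new(secret, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def score_campaign(secret: bytes, roster: list, events: list) -> dict:
    """Turn raw (iso_timestamp, token, action) events into per-employee
    outcomes, per-department rates and the time-ordered list of reporters.

    Reporting is tracked separately from the worst action: an employee who
    clicked and then reported still counts as a reporter, because the
    report is the behaviour the drill is meant to reinforce."""
    by_token = {make_token(secret, e["email"]): e for e in roster}
    worst = {e["email"]: "delivered" for e in roster}
    reported_at: dict = {}

    for ts, token, action in events:
        emp = by_token.get(token)
        if emp is None:
            continue  # token we never issued: ignore rather than guess
        email = emp["email"]
        if action == "reported":
            t = datetime.fromisoformat(ts)
            if email not in reported_at or t < reported_at[email]:
                reported_at[email] = t
        elif action in SEVERITY and SEVERITY[action] > SEVERITY[worst[email]]:
            worst[email] = action

    employees = {
        e["email"]: {"dept": e["dept"], "worst": worst[e["email"]],
                     "reported": e["email"] in reported_at}
        for e in roster
    }

    # Department-level view: who needs targeted follow-up training.
    departments: dict = {}
    for e in roster:
        d = departments.setdefault(e["dept"], {"headcount": 0, "clicked": 0, "reported": 0})
        d["headcount"] += 1
        d["clicked"] += int(SEVERITY[worst[e["email"]]] >= SEVERITY["clicked"])
        d["reported"] += int(e["email"] in reported_at)
    for d in departments.values():
        d["click_rate"] = d["clicked"] / d["headcount"]
        d["report_rate"] = d["reported"] / d["headcount"]

    reporters = sorted(reported_at, key=reported_at.get)
    return {
        "employees": employees,
        "departments": departments,
        "reporters": reporters,                      # everyone who gets a reward
        "first_reporter": reporters[0] if reporters else None,  # top reward
    }


def run_demo() -> dict:
    """Constructed event stream from one drill (not real telemetry)."""
    def tok(email: str) -> str:
        return make_token(CAMPAIGN_SECRET, email)

    events = [
        ("2024-03-04T09:00:05", tok("ana@example.com"), "opened"),
        ("2024-03-04T09:00:40", tok("ana@example.com"), "clicked"),
        ("2024-03-04T09:01:10", tok("ana@example.com"), "submitted"),
        ("2024-03-04T09:02:00", tok("bo@example.com"), "opened"),
        ("2024-03-04T09:02:30", tok("bo@example.com"), "reported"),
        ("2024-03-04T09:03:00", tok("cy@example.com"), "clicked"),
        ("2024-03-04T09:03:45", tok("cy@example.com"), "reported"),  # clicked, then reported
        ("2024-03-04T09:10:00", "0000000000000000", "clicked"),     # forged token, dropped
    ]
    return score_campaign(CAMPAIGN_SECRET, ROSTER, events)


if __name__ == "__main__":
    result = run_demo()
    for email, info in result["employees"].items():
        print(f"{email:18} {info['dept']:12} worst={info['worst']:9} reported={info['reported']}")
    for dept, stats in result["departments"].items():
        print(f"{dept:12} click_rate={stats['click_rate']:.2f} report_rate={stats['report_rate']:.2f}")
    print("first to report (top reward):", result["first_reporter"])
```

Two design points carry the article's advice into the code: the department rates, not the individual names, are what the security team should circulate, since the debrief is meant to teach rather than shame; and the reporter list is computed independently of the click severity, so the colleague who clicked and then raised the alarm is still on the reward list.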